Authorization Middleware for Software as a Service

Publication date: 2016-01-25

Author:

Decat, Maarten
Joosen, Wouter

Keywords:

cloud, cloud security, security, access control, authorization, Software as a Service

Abstract:

This thesis focuses on access control for Software-as-a-Service (SaaS) applications. Access control is the part of security that aims to constrain which users can access which data in an application by enforcing access rules. SaaS is a novel and promising type of application in which a customer organization rents access to an entire application hosted in the cloud for use through a web browser. Because SaaS applications are typically designed to be used by multiple customer organizations at the same time, application-level access control is of great importance to them. However, SaaS applications also pose new and specific challenges for access control. For example, SaaS access control should enable the provider of the application to control which of its customers can access which parts of the application and should enable these customers to control which of their employees can access which part of their data in the application. In addition, while this functionality by itself is non-trivial, SaaS access control is further complicated by the fact that every customer wants to express its access rules in terms of its own organizational structure, by the fact that SaaS applications are offered to a large number of customers, and by the fact that these customers do not necessarily trust the provider completely. As such, the goal of this thesis is to design access control techniques for SaaS applications that are able to cope with these challenges. In addition, these techniques should impose low performance overhead on the application, should be easy to use and should be easy to integrate into a SaaS application.
In this regard, this thesis provides four distinct contributions: (i) a reusable middleware for efficient access control management of SaaS applications, (ii) the concept of federated authorization, which externalizes access control from a SaaS application, (iii) the technique of policy federation, which improves the performance of federated authorization, and (iv) a technique to enable access rules to be securely evaluated in parallel to support large numbers of requests per second. For each of these contributions, we build upon the state-of-the-art technologies of policy-based access control, attribute-based access control and tree-structured policies. In addition, these contributions have been validated in four distinct case studies of realistic SaaS applications in the domains of automated document processing, automated workforce management and e-health. Finally, we have systematically evaluated these contributions in terms of performance and engineering overhead based on extensive prototypes.